unshare [options] program [arguments]
Unshares the indicated namespaces from the parent process and then executes the specified program.
The namespaces can optionally be made persistent by bind mounting /proc/pid/ns/type files to a filesystem path and entered with nsenter(1) even after the program terminates. Once a persistent namespace is no longer needed, it can be unpersisted with umount(8). See the EXAMPLES section for more details.
The namespaces to be unshared are indicated via options. Unshareable namespaces are:
Since util-linux version 2.27, unshare automatically sets mount propagation to private in a new mount namespace, to make sure that the new namespace is really unshared from the parent. This behaviour can be disabled with the option --propagation unchanged. Note that private is the kernel default.
See clone(2) for the exact semantics of the flags.
To be able to call setgroups(2), the calling process must at least have CAP_SETGID. But since Linux 3.19 a further restriction applies: the kernel permits setgroups(2) only after the GID map (/proc/pid/gid_map) has been set. The GID map is writable by root while setgroups(2) is enabled (i.e. allow, the default), and it becomes writable by unprivileged processes only once setgroups(2) has been permanently disabled (with deny).
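The ordering rule above, as an added example that is not part of the util-linux man page: a Python script (using ctypes to call unshare(2)) creates a user namespace in a forked child and shows that an unprivileged process cannot write /proc/self/gid_map until it has written deny to /proc/self/setgroups, after which setgroups(2) itself is refused inside the namespace. It assumes a Linux kernel (3.19 or later) that allows unprivileged user namespaces; where unshare(2) is refused it reports supported=False instead.

```python
import ctypes
import errno
import json
import os

CLONE_NEWUSER = 0x10000000  # value from <linux/sched.h>


def _write_once(path, text):
    """Write text with a single write(2); the /proc map files reject partial
    or repeated writes. Returns 0 on success, otherwise the errno."""
    try:
        fd = os.open(path, os.O_WRONLY)
        try:
            os.write(fd, text.encode())
        finally:
            os.close(fd)
        return 0
    except OSError as e:
        return e.errno


def _child_steps():
    """Runs in the forked child: enter a new user namespace, set up ID maps."""
    # Capture IDs before unshare(): afterwards getuid()/getgid() report the
    # (unmapped, overflow) IDs as seen inside the new namespace.
    outside_uid, outside_gid = os.geteuid(), os.getegid()
    libc = ctypes.CDLL("libc.so.6", use_errno=True)
    if libc.unshare(CLONE_NEWUSER) != 0:
        return {"supported": False, "errno": ctypes.get_errno()}
    # Approximation: euid 0 is taken to mean CAP_SETGID in the parent namespace.
    r = {"supported": True, "privileged_parent": outside_uid == 0}
    gid_line = f"0 {outside_gid} 1\n"
    # Unprivileged on Linux >= 3.19: this first write must fail with EPERM,
    # because gid_map is only writable once setgroups(2) is permanently denied.
    r["gid_map_before_deny"] = _write_once("/proc/self/gid_map", gid_line)
    if r["gid_map_before_deny"] != 0:
        r["setgroups_deny"] = _write_once("/proc/self/setgroups", "deny")
        r["gid_map_after_deny"] = _write_once("/proc/self/gid_map", gid_line)
    r["uid_map"] = _write_once("/proc/self/uid_map", f"0 {outside_uid} 1\n")
    r["euid_inside"] = os.geteuid()  # 0 once uid_map maps us to root
    try:
        os.setgroups([])  # EPERM whenever setgroups was set to "deny"
        r["setgroups_inside"] = 0
    except OSError as e:
        r["setgroups_inside"] = e.errno
    return r


def demo_user_namespace():
    """Fork, run the namespace setup in the child, return its report as a dict."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(rfd)
        os.write(wfd, json.dumps(_child_steps()).encode())
        os._exit(0)
    os.close(wfd)
    data = b""
    while chunk := os.read(rfd, 4096):
        data += chunk
    os.close(rfd)
    os.waitpid(pid, 0)
    return json.loads(data)
```

Run as a normal user the report shows gid_map_before_deny == EPERM, gid_map_after_deny == 0, euid_inside == 0 and setgroups_inside == EPERM; run as root the first gid_map write already succeeds, matching the man page's "writable by root" clause.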
unshare(2), clone(2), mount(8)
Mikhail Gusarov, Karel Zak
The unshare command is part of the util-linux package and is available from ftp://ftp.kernel.org/pub/linux/utils/util-linux/.